From owner-freebsd-security Sun Dec 7 16:24:35 1997
Date: Sun, 7 Dec 1997 18:24:13 -0600 (CST)
From: "Craig H. Rowland"
To: freebsd-security@freebsd.org
Subject: Re: [linux-security] New Program: Abacus Sentry - Port Scan Detector

Hello,

>>I thought someone could be interested in this program, a port scanner
>>which seems more featureful than strobe (a port scanner in the
>>FreeBSD ports).
>
>It's not a port scanner. It's a bad port-scan detector; it's designed to
>tell you when things like strobe (excellent program) are run against your
>host. It also doesn't work. In general, you need low-level network access
>(packet capture) to really detect port-scans, because it's not hard to
>find out if a TCB exists without tickling accept(). "Sentry" just binds to
>a bunch of ports and trusts that if someone probes one of them, it'll
>notice.
>

I'm the author and have a few points of contention here. This will be my only post to this thread and I apologize for the intrusion.
1) Whether it is a "bad port-scan detector" is open for speculation, although the initial reception has been favorable. It is doing nothing out of the ordinary that other scan detectors do, so I'll just assume I'm average instead of bad.

2) It does work, and works against TCP and UDP scans. Stealth scans are not detected by this program, nor were they designed to be detected. This is clearly stated in the documentation with my reasons as to why I made this deliberate choice.

3) A large amount of the network probing that I've seen of late does not scan the entire host, but rather targets specific services. It was in this light that Sentry was designed: not to be a true scan detector in the typical sense, but to be a port *probing* detector.

4) Low-level network access is one way to detect a port sweep of a host, but also the most expensive. While I would like to detect all manner of port sweeps, this would violate several of the guidelines used as a base for designing the program. Specifically these were:

- Have a simple construction.
- Portability.
- Use few system resources.
- React in real-time to stop probes.

This is early release code (version 0.08) and aside from the snprintf calls I use throughout, the code itself will compile on virtually all Unix platforms with no porting. Indeed it was developed on Linux (where the original posting for Beta testers went to), but compiled straight away on BSDI, and other variants. With a minor snprintf tweak, it compiled on Solaris too. All without additional code.

The other criteria have been fulfilled as well. It uses very little RAM, essentially zero CPU time, and can stop probes of a host in real-time.

If readers are interested in a network sniffing port scan detector that is capable of detecting stealth scans then you may want to look at synlog:

http://www.whitefang.com/synlog.html

I've not tried it yet, but from the web page it looks very good.
Please bear in mind that Sentry is a new program (0.08) and is in very early testing. I know it's not perfect, but it is improving. I appreciate any comments good or bad.

>--
>-----------------------------------------------------------------------------
>Thomas H. Ptacek                                       Secure Networks, Inc.
>-----------------------------------------------------------------------------
>http://www.enteract.com/~tqbf                          "mmm... sacrilicious"

Thanks for listening,

--
Craig
http://www.psionic.com
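The two positions in the thread come down to one design point: a detector that listens on unused ports only ever sees connections the kernel has fully accepted, so it catches full TCP connect() probes but not half-open scans. The added example below is not Sentry's code; it is a minimal Python sketch of that bind-and-accept approach, written to show where the blind spot sits. The ProbeTracker class, the open_traps/poll_traps helpers, the threshold of 3 distinct ports and the 60-second window are all assumed values chosen for illustration.

```python
import select
import socket
import time
from collections import defaultdict

class ProbeTracker:
    """Remember which trap ports each source touched; flag a source once it hits
    `threshold` distinct ports inside `window` seconds (assumed defaults)."""

    def __init__(self, threshold=3, window=60.0):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(list)  # src -> [(timestamp, port), ...]
        self.flagged = set()

    def record(self, src, port, now=None):
        """Log one completed connection; True the first time `src` crosses the threshold."""
        now = time.time() if now is None else now
        recent = [(t, p) for t, p in self.hits[src] if now - t <= self.window]
        recent.append((now, port))
        self.hits[src] = recent
        if len({p for _, p in recent}) >= self.threshold and src not in self.flagged:
            self.flagged.add(src)
            return True
        return False

def open_traps(ports, host="127.0.0.1"):
    """Bind and listen on every trap port (port 0 lets the kernel pick one, for tests).
    Returns {listening_socket: bound_port}."""
    traps = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(5)
        s.setblocking(False)
        traps[s] = s.getsockname()[1]
    return traps

def poll_traps(traps, tracker, timeout=0.5):
    """One select() pass: accept and close each completed connection, record it,
    return [(src_ip, trap_port, flagged), ...]. Only handshakes the kernel finished
    arrive here, which is exactly why a half-open (SYN) probe never shows up."""
    events = []
    readable, _, _ = select.select(list(traps), [], [], timeout)
    for s in readable:
        conn, (src, _) = s.accept()
        conn.close()
        events.append((src, traps[s], tracker.record(src, traps[s])))
    return events
```

A real daemon would loop on poll_traps and hand flagged sources to whatever blocking or logging action is configured; this sketch only returns the events so they can be inspected.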